42
Can you hack it?
Managing the cybersecurity challenge
To secure cyberspace, technology alone is not enough. Strong management
plays an equally important role.
John Dowdy,
Joseph Hubback,
Dennis Layton,
and James Solyom
Cyberspace, according to the US government, is
Europe has similar concerns: the United Kingdom’s
“the interdependent network of information
National Security Strategy, for example, cites
technology infrastructures,” including “the
“hostile attacks upon UK cyberspace by other states
Internet, telecommunications networks, computer
and large-scale cyber crime” as a Tier 1 threat.3
systems, and embedded processors and
controllers in critical industries.”1 Governments
1 National Security
Presidential Directive 54
and Homeland Security
Presidential Directive 23,
as per Cyberspace
policy review, p. 1.
2 Ibid.
3 A strong Britain in an
age of uncertainty:
The national security
strategy, UK government,
October 2010.
Yet governments today have a poor understanding
and corporations worldwide are beginning
of the cybersecurity landscape and the scale of
to recognize the fact that securing cyberspace—
the challenge. One reason for this lack of clarity is
protecting its confidentiality, integrity, and
that the term “cyberattack” is often used to
availability—is of paramount importance.
describe everything from low-probability cata-
In its 2009 cyberspace policy review, the Obama
infrastructure) to higher-frequency threats (such
strophic events (such as devastating attacks on
administration asserted that “threats to
as cyberespionage and intellectual-property
cyberspace pose one of the most serious economic
theft). In addition, there is a dearth of reliable data
and national security challenges of the 21st
on the economic cost of attacks on government.
century for the United States and our allies.”2
Most top-down estimates of the scale of the issue
Dieter Braun
Can you hack it? Managing the cybersecurity challenge
4 See “Sex, lies and cyber-crime
surveys,” Dinei Florêncio
and Cormac Herley, Microsoft
Research, June 2011.
5 For more on the impact of
ever-increasing amounts
of data, see Big data: The next
frontier for innovation,
competition, and productivity,
McKinsey Global Institute,
May 2011.
6Ponemon Institute 2009
Annual Study: “Cost of a data
breach”; Symantec Internet
Security Threat Report 2010,
PricewaterhouseCoopers
Information Security Breaches
survey, 2010.
7US General Accounting Office,
“Testimony before the Subcommittees on Air and Land
Forces and Seapower and
Expeditionary Forces, Committee on Armed Services, U.S.
House of Representatives,”
GAO-10-478T, March 24,2010.
8McAfee and Center for
Strategic and International
Studies (CSIS), “In the
dark: Crucial industries
confront cyberattacks,” 2011.
43
are based primarily on questionable assumptions
suggests that attacks will continue to increase
that yield implausible figures4 and thus do not
in frequency and impact.
offer a sound basis for decisions about policy or
government interventions.
The taxonomy is helpful for understanding the
cybersecurity landscape, but to identify and
In this article, we propose a cybersecurity
plan for the most serious threats, government
taxonomy to help government leaders understand
leaders must be able to quantify the impact
the landscape, and a “value at risk” framework
of attacks. What, for example, was the cost of
that government leaders can use to prioritize and
the alleged loss of data relating to the F-35 Joint
focus on the most serious threats. It is our
Strike Fighter? What was the cost to the US
firm belief that cybersecurity is first and foremost
government of the release of its data by Wikileaks?
a management problem, not simply a technical
There is a lack of data, from private enterprise
problem, and therefore our taxonomy and frame-
or government, to help answer these questions.
work take a senior-management perspective.
Various estimates put the direct cost of a cyber-
We also outline four principles for a best-practice
attack on a large company at between $1.6 million
management response to cyberthreats. Adhering
and $7.2 million.6 At the extreme, the reported
to these principles will enable government to act
attacks on the F-35 program could compromise
as an effective protector of valuable assets.
the US government’s estimated $323 billion
development cost.7
Understanding the landscape and the
value at risk
Extrapolating such estimates into economy-wide
We have developed a six-part taxonomy of the
figures is problematic. How many attacks of
cybersecurity problem (Exhibit 1). The logic
this magnitude occur, and with what regularity?
behind our taxonomy is that an attack will occur
In a 2011 survey, more than 80 percent of
if an attacker has both the capability and the
critical-infrastructure providers reported being
incentive to strike at vulnerabilities in a target’s
the victim of large-scale cyberattacks or
assets. Today, attackers’ capabilities and
infiltrations.8 And many incidents that are de-
incentives are increasing—the former due to
tected go unreported, in part because reporting
technological developments and the latter
requirements vary by jurisdiction but also
due to the fact that more data and assets are now
because there are clear disincentives—especially
accessible online.5 The relative lack of trace-
for corporations—to report breaches.
ability means that attackers continue to feel little
threat of retribution. Meanwhile, targets’
We have used our taxonomy to create a relative
vulnerabilities are decreasing, but at a slower pace
value-at-risk analysis that offers government
than the increase in attackers’ capabilities, which
leaders insights into the likelihood and impact of
To identify and plan for the most serious threats, government
leaders must be able to quantify the impact of attacks
44
McKinsey on Government Autumn 2011
McKinsey on Government 2011
Cyber security
Exhibit 1 of 2
Exhibit 1
The taxonomy of cybersecurity helps government leaders
understand the landscape.
4
Targets
2 Capability
5
Vulnerability
6
Assets
1 Attackers
3 Incentive
Four groups of attackers1
a. Governments
b. Enterprises
c. Cybercriminals
d. Cyberterrorists or “hacktivists”
Capability
The ability to steal, hijack, impair,
or damage
Incentive
The motive to attack
1 Members
6 Assets
Four types of target entity
a. Data (such as IP2,
a. Public sector
customer
records, or
b. Private enterprise
classified national secrets)
c. Individuals
b. Systems, which vary in
d. Critical national infrastructure (CNI)
criticality from low (eg, informational Web sites) to high
5 Vulnerability
(eg, nuclear monitoring systems)
Can be technical (eg, lack
of a firewall) or human
(eg, employees being tricked
by phishing e-mails)
of multiple groups can work together in a single attack, in either a coordinated or an uncoordinated way.
property.
2Intellectual
attacks for each combination of attacker and
liberties—were informed by available data,
target (Exhibit 2). We see value at risk as a com-
our experience working in both the public and
bination of three elements: the attacker’s
private sectors, and extensive interviews with
capability, the asset’s vulnerability, and the rel-
leaders and IT specialists worldwide.
ative financial and nonfinancial costs of the attack.
Our estimates of relative costs—which take into
As the exhibit shows, the highest value at
account financial value but also factors such
risk applies to enterprise-held intellectual property
as national security and the protection of civil
(IP). IP is both extremely valuable and
Can you hack it? Managing the cybersecurity challenge
45
McKinsey on Government 2011
Cyber security
Exhibit 2 of 2
Exhibit 2
A value-at-risk analysis offers insights into where the most
serious threats are.
Estimation of value
at risk relative to
existing protection
An attack could be
consistent with the
attacker’s incentives
Low
Medium
High
Targets and assets
Attackers
Incentives
Public sector
Sensitive
Classified
information information Systems
Government
Strategic
advantage
Private
enterprise
Financial
gain
Cybercriminals
Financial
gain
Cyberterrorists,
hacktivists
Protest,
fun,
terror
Private enterprise
IP1
CNI2
Non-IP
data
Systems Systems
Individuals
Personal
information Systems
War
1Intellectual
2Critical
property.
national infrastructure (eg, power station).
vulnerable. It is easily stolen from electronic
concern: the threat from foreign governments to
systems, often without the theft even being
critical national infrastructure (CNI). Here, the
noticed. We estimate the value of the S&P 500’s
very high relative costs are dispersed across a
IP to be between $600 billion and $1.2 trillion.9
wide range of assets, locations, and sectors, thus
Governments have a critical interest in ensuring
reducing the risk of a catastrophic attack. Further-
the protection of IP due to its importance to
more, given that the primary threat to CNI is
both economic growth and the government’s
from other governments, an attack on CNI systems
own defense investments (for example, IP held by
could be construed as an act of war—and is
defense suppliers).
therefore less likely, as there are implicit retaliatory threats already in place.
9Based on discounted value
of research-and-development
expenditures and corroborated by the value of
intellectual-propertyrelevant intangible assets on
S&P 500 balance sheets.
Medium value-at-risk attacks should be a secondlevel priority. In the private sector, these
Another group of medium value-at-risk assets
are primarily attacks on non-IP assets, such as
consists of government systems and classified
customer data. Another medium value-at-risk
data. For example, we estimate the UK public
46
McKinsey on Government Autumn 2011
sector’s maximum loss from cyber-enabled
compass the entire spectrum of network-enabled
billion.10
assets, including those that may not tradition-
fraud to be $5.2
Although significant,
this figure is small in comparison with the value
ally be seen as at risk (such as systems that are not
at stake for private-sector IP losses. Furthermore,
online but that may be connected to the outside
most governments already invest heavily in
world through USB ports). The audit should also
reducing the vulnerability of internal data, thus
consider assets held by other organizations,
reducing the risk of attack.
especially suppliers. The alleged compromise of
the F-35 plans, for example, followed intrusions
A management challenge
into the systems of two or three contractors rather
Responding to the threat of cyberattacks requires
than the systems belonging to the Department
more than simply increasing spending on tech-
of Defense (DOD).11
nical defense mechanisms such as firewalls and
antivirus software. It requires senior-management
The second step is to conduct a risk assessment to
attention and a broad range of both technical
gauge the impact and likelihood of attacks on
and nontechnical capabilities.
each asset. The organization should estimate both
financial and reputational impact using a rel-
There are four principles that underlie a best-
ative scale (such as a simple low/medium/high).
practice management response to the cyber-
A distributed denial-of-service (DDOS) attack
security threat. They apply equally at any level of
on the Treasury Department’s Web site, for in-
government; the assurance questions for each
stance, may rank low for financial impact and
principle enable all managers to test the effective-
medium for reputational impact. Then, for
ness of their response.
each asset, the organization should estimate the
likelihood of a successful attack, again using
Define and prioritize risks
a relative scale—taking into account the attacker’s
“Do we have a clear understanding of our portfolio
incentive, the attacker’s capability, and the
of network-enabled assets and their respective
target’s vulnerability. For example, a DDOS attack
value at risk? Do we have sufficiently robust best
on the Treasury Web site may be rated high for
practices and expertise in-house to adequately
attacker incentive and capability and medium
protect them?”
for vulnerability.
To manage a cybersecurity program effectively,
The third step is to categorize assets according to
leaders must clearly define what they are
value at risk. Often two categories will suffice:
protecting and prioritize the threats they face.
lower value-at-risk assets (such as informational
We suggest a three-step process to define and
Web sites), which existing best practice should
prioritize risks.
cover, and higher value-at-risk assets (such as vital
The first step is to conduct an organization-wide
Some of these measures—more advanced security
systems), which require additional measures.
10McKinsey analysis based on
National Fraud Authority
Report, 2010, Her Majesty’s
Revenue and Customs data.
11“Computer spies breach
fighter-jet project,” The Wall
Street Journal, April 21, 2009.
asset audit. Leaders must identify the assets—
and vulnerability management, for example—
normally, the data and systems—that could be at
may involve building deep internal expertise or
risk from a cyberattack. The audit should en-
contracting for external assistance.
Can you hack it? Managing the cybersecurity challenge
47
Assign responsibility for cyberthreat mitigation
administrator rights or conducting simulations of
“Who are the named and empowered individuals
cyberattacks to test resilience).
responsible for our highest-priority networkenabled assets? Who is responsible for setting
Process and procedure. Procedures must be
and executing our cybersecurity strategy?
established to limit and mitigate the impact
What is the process for linking those individuals
of attacks. Responsibility in this area includes
so that we have a consistent and coordinated
ensuring that information about attacks is
approach that does not undermine the efficiency
available to leaders within the business (for
of our operations?”
example, predictive threat analysis based
Cybersecurity is a cross-functional issue.
and that data assets are suitably categorized
Organization-wide responsibility for policy should
(for example, working with business owners to
rest with a board member of the department
determine appropriate encryption levels).
on aggregating and analyzing e-mail headers)
or agency. Below board level, organizations should
clearly define responsibility for cybersecurity
People. Personnel policies must be in place
so that they can take a comprehensive series of
to minimize risk. This includes providing
actions to mitigate threats.
training to support the policy and regularly
testing compliance.
Leaders should assign responsibility for cybersecurity in three areas. Ownership of each
Supplementing the organization-wide policies,
area may be delegated to the relevant department
leaders should assign high-risk assets to
(for instance, the human-resources director
individuals to ensure that cybersecurity threats
could be accountable for people policies). The
are seen as a business risk rather than simply
three areas are as follows:
12 For some threats, addition-
ally assigning responsibility
by threat vector may be
appropriate—giving (often
technical) teams or individuals the responsibility of
tackling a particular
threat (for example, distributed denial-of-service
attacks across all Web sites
operated by a government
department).
an IT problem—for example, protection of health
records may be the responsibility of an oper-
Technology. Technology must be used to max-
ations manager. The risk owner, however, should
imum advantage to counter cyberattacks.
not be the same person who has business respon-
The organization must have the level of technical
sibility for an asset, so as to avoid conflicting
capabilities required and should prioritize
incentives or priorities: an owner of classified
technical spending in the areas of highest risk.
data, for example, may want to improve function-
Basic security best practices should be embedded
ality by combining data sets—at the expense
within the architecture (for example, limiting
of security.12
48
McKinsey on Government Autumn 2011
Manage the performance of those responsible
Develop a cyberattack contingency plan
“What is the basis for managing the performance
“What is our plan if we experience a significant
of those responsible for the protection of our
security breach? How will we communicate
network-enabled assets? How are we performing
internally and externally?”
against those assessments?”
Governments must have a robust response plan
Key performance indicators (KPIs) for the indi-
in the event of a successful cyberattack. A best-
viduals responsible for cybersecurity should
practice plan includes three phases: crisis manage-
include metrics mirroring the three areas for
ment, recovery, and postmortem.
threat mitigation, as follows:
The first phase is immediate crisis management,
Technological KPIs. These KPIs point to the
or how the organization should respond when
number and type of electronic touchpoints, both
it detects an attack. This should feature two ele-
internal and external, and highlight the quality of
ments: a communications response and a system
management of these connections. An example
response, both of which should be proportionate
of such a KPI is the number of days that elapse
to the impact of the attack.
between Microsoft issuing a critical software
update and the entire organization installing it.
The communications response, typically owned by
the head of public relations, should aim to give
Process and procedural KPIs. These KPIs can
stakeholders the information they need to know.
include data-policy indicators that measure the
This is particularly important for governments,
success of data segmentation and risk-assessment
given the likelihood of media and public interest.
activities (for example, the proportion of data
Key stakeholders will vary depending on the area
that are suitably encrypted) and operational-
of government attacked and should be identified
policy indicators that measure the implementation
in advance. For example, if there is an attack on a
success of policy (for example, the number of
system for sharing patient information among
attempted security-policy breaches within a
hospitals, the stakeholders may include hospital
certain period).
staff, nonhospital doctors, patients, dataprotection authorities, and other organizations
People KPIs. People KPIs measure the success
using similar systems. Immediately following a
rate of training, employee conformity to security
DDOS attack on its Web site, the United Kingdom’s
guidelines, or employee knowledge and use of
Serious Organised Crime Agency (SOCA) prompt-
best-practice e-mail behavior. They may be
ly issued a media statement describing the extent
assessed through spot tests.
of the attack and informing the public that it had
taken its Web site offline.13 Some news reports
To support these KPIs, organizations should put
characterized the attack itself as embarrassing for
in place a performance-management review
SOCA, but its communications response was
system and a set of incentives and consequences.
best practice.
Organizations should also ensure accurate
13“Soca website taken down
after LulzSec ‘DDoS attack,’”
BBC News, June 20, 2011.
flow of information on the frequency and type of
The system response, the main goal of which is
attacks, as well as on compliance with manage-
to terminate or ring-fence the breach, is normally
ment practices.
owned by the head of IT. Again, the response
Can you hack it? Managing the cybersecurity challenge
49
should be commensurate with the impact of the
response plan. The response plan should include a
attack. For example, an agency should not
board-level report that details the agreed-on
necessarily sever its IT communication links for
actions to be taken, with clear time frames and
a relatively low-level DDOS attack—but it may
owners for each. A successful postmortem
want to cut off access in the event of a significant
may include supporting a criminal investigation.
intrusion or hijack of its systems. Organizations
should codify and practice these measures
beforehand, not develop them on the fly. Once an
organization contains the breach, it should
Cybersecurity is a growing and ever-changing
initiate backup systems (such as a mirror Web
challenge. Government responses and policies
site). A crucial part of the system response should
regarding cybersecurity should not be static but
be to inform IT departments in other govern-
instead should be continually adapted and
ment organizations of the nature of the attack so
refreshed as new knowledge becomes available.
that they can upgrade their protection. For
While existing efforts to share knowledge
example, detection of a targeted phishing attack
among organizations (such as the forums hosted
on the DOD should trigger a warning to all other
by the US Office of Cybersecurity and Commu-
US government departments.
nications) are laudable, there is still too little
The second phase is recovery, which is pre-
resulting in organizations not being as well
knowledge sharing when it comes to cybersecurity,
dominantly a technical response that builds on
prepared for attacks as they could be. A greater
the immediate system response in the pre-
level of collaboration is particularly important
vious phase. The purpose is to repair damaged
among leading targets such as governments,
systems and data, fix the vulnerability that
advanced industries, and financial institutions.
led to the attack, and bring systems back online.
Within the public sector, sharing should happen
An ineffective recovery response leaves the
at many levels—not only shared information
target exposed to more attacks, which can lead to
and shared storytelling but shared action as
further embarrassment and cost.
well—reflecting the interconnectedness of
government departments.
The third phase is the postmortem, normally
enacted by the corporate risk owner. The purpose
of the postmortem is self-evaluation: to flush
out the causes of the attack and prevent a similar
one from recurring, to investigate attackers
and their motives and explore opportunities for
restitution, and to evaluate the success of the
John Dowdy is the global leader of McKinsey’s Aerospace and Defense practice. He is a director in the London office,
where Joseph Hubback and James Solyom are consultants and Dennis Layton is a principal. The authors wish
to thank Tucker Bailey, Assaf Egozi, Scott Gebicke, James Kaplan, Edward Lock, Chris Rezek, Giacomo Sonnino, and
Allen Weinberg for their contributions to this article. Copyright © 2011 McKinsey & Company. All rights reserved.